First medical apps built with Apple's ResearchKit won't share data for commercial gain

Developed by the Icahn School of Medicine at Mount Sinai and LifeMap Solutions, the Asthma Health app is designed to facilitate asthma patient education and self-monitoring, promote positive behavioral changes and reinforce adherence to treatment plans according to current asthma guidelines. The study tracks symptom patterns in an individual and potential triggers for these exacerbations ...

As concern grows about data collection by mobile apps, Apple and companies involved with its new ResearchKit software development framework for medical studies say users of the first five apps have nothing to worry about.

Access to health data collected by the apps will be restricted to approved medical researchers and barred from commercial use, and the apps won't delve into the personal contents stored on a smartphone, according to the companies.

Sage Bionetworks, a nonprofit biomedical research organization in Seattle, handles the collection, de-identification and storage of the health data gathered from the five apps developed with ResearchKit, Christine Suver, principal scientist and head of open science data governance at Sage, said in an email interview.

"We are as careful as we can be about keeping data as confidential as possible," said Suver. An independent review board has looked over the protocols for each study and the consent process and weighed the risks of participating in this research against the benefits, she said.

Apple announced ResearchKit on Monday during an event that centered on the Apple Watch. ResearchKit allows developers to create apps that can be used for medical research studies, essentially turning a smartphone into a diagnostic device. A person downloads the app from the iTunes store, consents to participate in the study and performs the tasks the app asks for, which include completing tests and entering medical history information.

The first five apps developed with ResearchKit debuted Monday. The framework will be generally available in April. For now, ResearchKit can only be used to develop iPhone apps. But Apple is making ResearchKit available as open source, meaning someone could extend it so that it could be used to build apps for other mobile OSes, like Android.

While Apple spoke enthusiastically about the potential of ResearchKit to help with medical studies, it also addressed concerns over the handling of health data by mobile apps. Nothing is more sensitive than a person's medical data, said Jeff Williams, Apple's senior vice president of operations, adding that people will determine how to share their medical data. "Apple will not see your data," he said.

Sage serves as a central hub for the data collected by the apps, Suver said. Sage helped develop two of the five apps: one for Parkinson's disease, called Parkinson mPower, and the other, Share the Journey, for studying symptoms after breast cancer treatment.

The data Sage receives from the medical research apps contains health and personal information including a person's name, email address and date of birth. Sage then strips out the personal information, encrypts it and stores the data on a server. A randomly generated code is associated with the person's study data, "and maintains an encrypted mapping between participant account and participant study data," said Suver.

Only study organizers and IT staff can access the research data, which is stored on a secure cloud server, said Suver, reiterating that the information is even off limits to Apple.

Those servers are operated by Amazon Web Services, according to the privacy policy for the asthma app developed by Mt. Sinai Hospital in New York City. Mt. Sinai and Sage control the AWS account for that app, which allows people to participate in an asthma research study, the policy said.

HIPAA (Health Insurance Portability and Accountability Act) regulations don't apply to data that is acquired and shared for research, said Suver. HIPAA is a U.S. law designed to protect people's health care information.

"Instead, the informed consent that a participant agrees to governs how the data can be used," she said.

Still, the data is encrypted when it is transmitted to Sage and the cloud systems storing the information are HIPAA compliant, said Eric Schadt, director of the Icahn Institute at Mount Sinai. "We meet or exceed industry standards regarding the secure communication and storage of sensitive data," he said.

Personal details like first and last names, signatures and email addresses are required in any medical study, said Alan Yeung, a cardiologist at Stanford Medicine who was involved with the development of the hospital's app, MyHeart Counts, which deals with heart health. A signature shows people have agreed to take part in the research and an email address is necessary to send participants the study's results, he added.

Signing the consent form gives Stanford Medicine researchers access to the health data. Stanford Medicine may share aggregated data with other approved researchers who request it, said Yeung. Participants, though, have the option of opting out of having their data included in the aggregate data set.

In cases where the data is shared with researchers outside of Stanford Medicine, it does not contain personal information since it is compiled, said Yeung. Researchers, for example, could ask to see the aggregate data on the average distance a person walks when exercising.

The health data collected by the medical study app can't be linked to a phone number or shared with for-profit organizations or insurance companies, said Yeung.

However, Stanford Medicine will have the key to identify people who participate in the smartphone medical research studies. The hospital would only identify a person if it needed to contact them because of a problem, said Yeung.

"That key is only sitting with us. Nobody else has it. Not Apple, not Sage," Yeung said. He emphasized that people must opt in to these studies and sign a consent form that explains how their data is being used and shared.

Asked what entity will be in charge of ResearchKit going forward, Apple only said that the open-source framework would be added to over time, and declined to be more specific.

Yeung would like to see ResearchKit ported to Android so that studies aren't limited to participants with iPhones. "Apple agreed with that as well," he said.

Sage will handle the data generated by the five apps for the "foreseeable future," said Schadt. Stanford Medicine's Yeung said the hospital could manage the data, but since ResearchKit just launched, Sage is handling that function for each app.

"Eventually, will that be the case? I'm not quite sure," he said.

Sage isn't tied to Apple and there aren't technical reasons preventing the organization from eventually supporting Android, said Sage's Suver, who declined to comment on future plans.

Apps developed with ResearchKit aren't required to use Sage and Apple isn't endorsing the nonprofit's data collection services, said Suver. The institutions behind the first set of apps agreed to use Sage.

"Sage would be happy to discuss how our services could be used by other groups wanting to build mobile study apps," she said.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.